arXiv:1509.07337v1 [cs.IT] 24 Sep 2015


A new class of rank-metric codes and their list decoding beyond the unique decoding radius

Chaoping Xing and Chen Yuan 


School of Physical & Mathematical Sciences, Nanyang Technological University, Singapore. 
Emails: xingcp@ntu.edu.sg; yuan0064@e.ntu.edu.sg 

Abstract 

Compared with classical block codes, efficient list decoding of rank-metric codes seems more difficult. The evidence supporting this view includes: (i) so far no polynomial-time list decoding algorithm for rank-metric codes with decoding radius beyond $(1-R)/2$ (where $R$ is the rate of the code) has been found when the ratio of the number of rows to the number of columns is constant but not very small; (ii) the Johnson bound for rank-metric codes does not exist, as opposed to classical codes; (iii) the Gabidulin codes cannot be list decoded beyond half of the minimum distance. Although the list decodability of random rank-metric codes and the limits to list decodability have been completely determined, little work on efficient list decoding of rank-metric codes has been done. The only known efficient list decoding of rank-metric codes $C$ gives decoding radius up to the Singleton bound $1-R-\epsilon$ with positive rate $R$ when $\rho(C)$ is extremely small, i.e., $\Theta(\epsilon^2)$, where $\rho(C)$ denotes the ratio of the number of rows to the number of columns of $C$ [?, STOC2013]. It is commonly believed that list decoding of rank-metric codes $C$ with not small constant ratio $\rho(C)$ is hard.

The main purpose of the present paper is to explicitly construct a class of rank-metric codes $C$ with not small constant ratio $\rho(C)$ and to efficiently list decode these codes with decoding radius beyond $(1-R)/2$. Specifically, let $r$ be a prime power and let $c$ be an integer between $1$ and $r-1$. Let $\epsilon > 0$ be a small real. Let $q = r^{\ell}$ with $\gcd(r-1, \ell n) = 1$. Then there exists an explicit rank-metric code $C$ in $M_{n\times(r-1)n}(\mathbb{F}_q)$ with rate $R$ that is $(\tau, O(\exp(1/\epsilon^2)))$-list decodable with $\tau = \frac{c}{c+1}\left(1 - \frac{r-1}{r-c}\times R - \epsilon\right)$. Furthermore, the encoding and list-decoding algorithms run in polynomial time $\mathrm{poly}(n, \exp(1/\epsilon))$. The list size can be reduced to $O(1/\epsilon)$ by randomizing the algorithm. Note that the ratio $\rho(C)$ for our code $C$ is $1/(r-1)$. Our key idea is to employ two-variable polynomials $f(x,y)$, where $f$ is linearized in variable $x$ and the variable $y$ is used to "fold" the code. In other words, rows are used to correct rank errors and columns are used to "fold" the code to enlarge the decoding radius. Apart from the above algebraic technique, we have to prune down the list. The algebraic idea enables us to pin down the messages into a structured subspace of dimension linear in the number $n$ of columns. This "periodic" structure allows us to pre-encode the messages to prune down the list. More precisely, we use the subspace design introduced in [?, STOC2013] to get a deterministic algorithm with a larger constant list size and employ the hierarchical subspace-evasive sets introduced in [?, STOC2012] to obtain a randomized algorithm with a smaller constant list size.

1 Introduction


Rank-metric codes were first introduced by Delsarte in [?] and have found applications in network coding [?] and public-key cryptography [?, 23]. These codes are closely related to space-time codes over finite fields [?]. Unique decoding algorithms for rank-metric codes within half the minimum distance have been extensively studied [?, 18]. However, efficient list decoding of rank-metric codes seems more difficult than that of classical block codes. Several pieces of evidence support this view. Firstly, no polynomial-time list decoding algorithm with decoding radius beyond $(1-R)/2$ (where $R$ is the rate of the code) has been found when the ratio of the number of rows to the number of columns is a constant but not very small. Secondly, the Johnson bound does not exist, as opposed to classical codes [?]. Thirdly, an important class of rank-metric codes introduced by Gabidulin [7], which are similar to Reed-Solomon codes, cannot be list decoded beyond half of the minimum distance [20]. The purpose of this paper is to design polynomial-time list decoding algorithms for rank-metric codes with decoding radius beyond $(1-R)/2$.

Before introducing known results and our main results in this paper, we first define list decodability of a rank-metric code. A rank-metric code over the finite field $\mathbb{F}_q$ is a subset of $M_{n\times t}(\mathbb{F}_q)$, where $M_{n\times t}(\mathbb{F}_q)$ denotes the set of $n\times t$ matrices over $\mathbb{F}_q$. Without loss of generality, we always assume $t \geq n$ for a rank-metric code in $M_{n\times t}(\mathbb{F}_q)$.

Definition 1. The rank-metric ball of center $M \in M_{n\times t}(\mathbb{F}_q)$ and radius $d$ is defined to be the set $\{X \in M_{n\times t}(\mathbb{F}_q) : \mathrm{rank}(X - M) \leq d\}$. A rank-metric code $C$ is called $(\tau, L)$-list decodable if, for every matrix $M \in M_{n\times t}(\mathbb{F}_q)$, there are at most $L$ codewords of $C$ in the rank-metric ball of center $M$ and radius $\tau n$.

1.1 Known results 

Unlike list decoding of classical codes, there are very few results in the literature on efficient list decoding of rank-metric codes. The only known efficient list decoding of rank-metric codes in the asymptotic sense gives decoding radius up to the Singleton bound $1-R-\epsilon$ when the ratio of the number of rows to the number of columns is $\Theta(\epsilon^2)$ [?, STOC2013]. On the other hand, the list decodability of random rank-metric codes and the limits on list decodability of rank-metric codes are completely known [2, 22]. More precisely, we have the following result.

Proposition 1.1. (see [?]) Let $n/t$ tend to a fixed constant $\rho$. Then for any real $R \in (0,1)$, a rank-metric code $C \subseteq M_{n\times t}(\mathbb{F}_q)$ of rate $R$ that is $(\tau, L)$-list decodable with $L = \mathrm{poly}(n)$ must obey $R \leq (1-\tau)(1-\rho\tau)$. On the other hand, with high probability a random rank-metric code of rate $R$ in $M_{n\times t}(\mathbb{F}_q)$ is $(\tau, O(1/\epsilon))$-list decodable with $R = (1-\tau)(1-\rho\tau) - \epsilon$ for any small real $\epsilon > 0$. In particular, if $n/t$ tends to a fixed small constant $\epsilon$, then with high probability a random rank-metric code of rate $R$ in $M_{n\times t}(\mathbb{F}_q)$ is $(1-R-\epsilon, O(1/\epsilon))$-list decodable.

The above result says that $R = (1-\tau)(1-\rho\tau)$ is the limit of list decoding of rank-metric codes and, moreover, that most random codes achieve this limit. The question is how to explicitly construct such codes and efficiently list decode them. It is natural to start with the Gabidulin codes because they are very similar to the classical Reed-Solomon codes. Both classes of codes are constructed from evaluations of polynomials. As the Reed-Solomon codes can be list decoded up to the Johnson bound [13], people hoped to list decode the Gabidulin codes at least beyond half of the minimum distance, i.e., $\tau > (1-R)/2$. Unfortunately, it was first shown in [22] that list decodability of the square Gabidulin codes does not exceed the bound $\tau = 1 - \sqrt{R}$, and recently it was shown in [20] that list decodability of the square Gabidulin codes does not exceed half of the minimum distance, i.e., $(1-R)/2$, for a certain family of parameters. This implies that the decoding radius of list decoding the square Gabidulin codes is not better than that of unique decoding.

Inspired by the good list decodability of the folded Reed-Solomon codes [?], people started to consider list decoding of folded Gabidulin codes [19]. However, the rate of the folded Gabidulin code in [19] tends to 0. In 2013, Guruswami and Xing [?] considered subcodes of the Gabidulin codes via point evaluation in a subfield and showed that list decodability of subcodes of the Gabidulin codes achieves the Singleton bound $\tau = 1 - R$. However, the ratio $\rho = n/t$ of the rank-metric code $C \subseteq M_{n\times t}(\mathbb{F}_q)$ constructed by Guruswami and Xing [?] is $\Theta(\epsilon^2)$. This is slightly weaker than random rank-metric codes, where the ratio $\rho = n/t$ can achieve $\Theta(\epsilon)$. So it is still an open problem to explicitly construct rank-metric codes in $M_{n\times t}(\mathbb{F}_q)$ with ratio $\rho = n/t = \Theta(\epsilon)$ and decoding radius $\tau = 1 - R - \epsilon$ and to efficiently list decode them.

There has not been much progress on the more interesting case where the ratio $\rho = n/t$ is not too small. Hence, an even more important open problem in the topic of list decoding rank-metric codes is the following.

Open Problem. For a given constant ratio $\rho = n/t \in (0,1)$ (not very small), explicitly construct rank-metric codes of rate $R$ in $M_{n\times t}(\mathbb{F}_q)$ with decoding radius $\tau > (1-R)/2$ and efficiently list decode them.


1.2 Our results 


The present paper takes a first step towards solving the above Open Problem. We first construct explicit rank-metric codes and then consider list decoding of these rank-metric codes. As a result, we present two decoding algorithms, one deterministic and one Monte Carlo. Both algorithms give the same decoding radius, which is bigger than $(1-R)/2$. More precisely, we have the following.

Theorem 1.2. (Main Theorem) Let $r$ be a prime power and let $c$ be an integer between $1$ and $r-1$. Let $\epsilon > 0$ be a small real. Let $q = r^{\ell}$ with $\gcd(r-1, \ell n) = 1$.

(i) There exists an explicit rank-metric code in $M_{n\times(r-1)n}(\mathbb{F}_q)$ with rate $R$ that is $(\tau, O(\exp(1/\epsilon^2)))$-list decodable with $\tau = \frac{c}{c+1}\left(1 - \frac{r-1}{r-c}\times R - \epsilon\right)$. Furthermore, encoding and list-decoding algorithms are in polynomial time $\mathrm{poly}(n, \exp(1/\epsilon))$.

(ii) With high probability one can randomly sample a rank-metric code in $M_{n\times(r-1)n}(\mathbb{F}_q)$ with rate $R$ that is $(\tau, O(1/\epsilon))$-list decodable with $\tau = \frac{c}{c+1}\left(1 - \frac{r-1}{r-c}\times R - \epsilon\right)$. Furthermore, encoding and list-decoding algorithms are in polynomial time $\mathrm{poly}(n, \exp(1/\epsilon))$.


Remark 1. (i) In the above main theorem, if we fix $r$ and $c$ with $2 \leq c \leq r-1$, then

c/(c + 1)

for any $0 \leq R <$ . This means that our decoding radius breaks the unique decoding radius for $R \in$ [0, ). For instance, taking $r = 3$ and $c = 2$ gives a rank-metric code $C \subseteq M_{n\times 2n}(\mathbb{F}_q)$ of rate $R$ and decoding radius $\tau = \frac{2}{3}(1-2R)$, which is bigger than $\frac{1}{2}(1-R)$ for $R < \frac{1}{5}$. In this case, the ratio $\rho = n/t$ is $1/2$.

(ii) By Proposition 1.1, a rank-metric code $C \subseteq M_{n\times t}(\mathbb{F}_q)$ of rate $R$ that is $(\tau, L)$-list decodable with $L = \mathrm{poly}(n)$ must obey $R \leq (1-\tau)(1-\rho\tau)$, where $\rho$ is the ratio $n/t$. In our case, the ratio $\rho = n/t = 1/(r-1)$. Thus, we must have $R \leq (1-\tau)\left(1 - \frac{\tau}{r-1}\right)$. The decoding radius in the above theorem gives $R \approx \frac{r-c}{r-1}\left(1 - \frac{c+1}{c}\times\tau\right)$ and indeed, one can easily check that

$$\frac{r-c}{r-1}\left(1 - \frac{c+1}{c}\times\tau\right) < (1-\tau)\left(1 - \frac{\tau}{r-1}\right).$$

(iii) Unfortunately, our main theorem does not improve the unique decoding bound for square rank-metric codes. To get square matrices, $r$ has to be 2. In this case, we can only take $c = 1$. Then the decoding radius in the above main theorem gives $\tau = \frac{1}{2}(1-R)$, which is the same as the unique decoding radius.

In the above theorem, setting r = 0 and c = 0 (i) gives the following corollary. 

Corollary 1.3. Let e > 0 be a small real. Let r = 0 and q = with gcd(r — l,in) = 1. 

(i) There exists an explicit rank-metric code in $M_{n\times(r-1)n}(\mathbb{F}_q)$ with rate $R$ that is ($\tau$, )-list decodable with $\tau = 1 - R - \epsilon$. Furthermore, encoding and list-decoding algorithms are in polynomial time $\mathrm{poly}(n, \exp(1/\epsilon))$.

(ii) With high probability one can randomly sample a rank-metric code in $M_{n\times(r-1)n}(\mathbb{F}_q)$ with rate $R$ that is $(\tau, O(1/\epsilon))$-list decodable. Furthermore, encoding and list-decoding algorithms are in polynomial time $\mathrm{poly}(n, \exp(1/\epsilon))$.

Remark 2. (i) See Remarks 5 and ?? for discussion of the list sizes in Corollary 1.3.

(ii) The ratio in the above corollary is $\rho = n/t = 1/(r-1) = \Theta(\epsilon^2)$. This ratio is the same as the one in [?, STOC2013]. Thus, the above corollary matches the result of [?, STOC2013].


1.3 Our techniques 

It was shown in [20] that list decodability of Gabidulin codes is not beyond the unique decoding bound $\tau = (1-R)/2$. In the classical case of Reed-Solomon codes, the decoding radius can be enlarged by folding Reed-Solomon codes. The question is how to properly fold Gabidulin codes to enlarge the decoding radius. At the same time, we have to make use of linearized polynomials in order to correct rank errors. Our key idea is to employ two-variable polynomials $f(x,y)$, where $f$ is linearized in variable $x$ and the variable $y$ is used to fold the code. In other words, rows are used to correct rank errors and columns are used to fold the code to enlarge the decoding radius.

The algebraic idea enables us to pin down the messages into a structured subspace of dimension linear in the number $n$ of columns, and this "periodic" structure allows us to pre-encode the messages to prune down the list. Two approaches are employed to pin down our list, namely the subspace design introduced in [?, STOC2013] and the hierarchical subspace-evasive (h.s.e. for short) sets introduced in [?, STOC2012]. The coefficients of polynomials in the list form a "periodic" subspace. After pre-encoding with a subspace design or h.s.e. set, the size of the new list becomes a constant.

1.4 Organization


The paper is organized as follows. In Section 2, we provide a new construction of "folded" rank-metric codes and discuss their parameters. Section 3 is devoted to list decoding of the rank-metric codes of Section 2, including the construction of the interpolation polynomial, the solution of certain equations for the list, and a discussion of the decoding radius. In the last section, we make use of subspace designs and hierarchical subspace-evasive sets to pre-encode the messages and pin down the list. The algorithm from the subspace design is deterministic, while the algorithm from hierarchical subspace-evasive sets is Monte Carlo.


2 Construction of rank-metric codes 

2.1 Rank-metric codes 

Before introducing our construction, we review some basic facts and results on rank-metric codes.

Let $q$ be a prime power and denote by $M_{n\times t}(\mathbb{F}_q)$ the set of $n\times t$ matrices over $\mathbb{F}_q$. One can define the rank distance between two matrices $A, B \in M_{n\times t}(\mathbb{F}_q)$ to be the rank of $A - B$, i.e., $d(A,B) = \mathrm{rank}(A - B)$. Indeed this defines a distance [?]. A rank-metric code $C$ is a subset of $M_{n\times t}(\mathbb{F}_q)$ with rate and distance given by

$$R(C) = \frac{\log_q |C|}{nt} \quad\text{and}\quad d(C) = \min_{A \neq B \in C}\{d(A,B)\}.$$

Without loss of generality, from now on we may assume that $n \leq t$ (otherwise, we can consider transposes of matrices). As in the classical case, one has the following Singleton bound (see [?]):

$$d(C) \leq n - R(C)n + 1. \qquad (1)$$

A code achieving the above Singleton bound is called a Maximal Rank Distance (or MRD for short) code. The most famous MRD codes are Gabidulin codes, which are defined by using polynomial evaluations. Recently, some MRD codes other than Gabidulin codes have been constructed [21].

To better understand our codes, we briefly review the construction of Gabidulin codes [?]. A polynomial of the form $f(x) = \sum_{i=0}^{\ell} a_i x^{q^i}$ is called $q$-linearized, where the coefficients $a_i$ belong to the algebraic closure of $\mathbb{F}_q$. The $q$-degree of $f(x)$, denoted by $\deg_q(f)$, is defined to be $\ell$ if $a_\ell \neq 0$.

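Let $0 < k < n < t$ be integers, and choose $\mathbb{F}_q$-linearly independent elements $\alpha_1, \dots, \alpha_n \in \mathbb{F}_{q^t}$. For every $q$-linearized polynomial $f \in \mathbb{F}_{q^t}[x]$ of $q$-degree at most $k-1$, we can encode $f$ by the column vector $A_f = (f(\alpha_1), \dots, f(\alpha_n))^T$ over $\mathbb{F}_{q^t}$. By fixing a basis of $\mathbb{F}_{q^t}$ over $\mathbb{F}_q$, we can also think of $A_f$ as an $n\times t$ matrix over $\mathbb{F}_q$. This yields the Gabidulin code

$$C_G(q,n,t,k) := \{A_f \in M_{n\times t}(\mathbb{F}_q) : f \in \mathbb{F}_{q^t}[x] \text{ is } q\text{-linearized and } \deg_q(f) \leq k-1\}.$$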

The Gabidulin codes are similar to the classical Reed-Solomon codes. However, if we apply Sudan's list decoding idea to the decoding of the Gabidulin codes, we get only unique decoding (see [18]).

In order to enlarge the list decoding radius of the Gabidulin codes, Mahdavifar and Vardy [19] considered folded Gabidulin codes. As a result, the rate tends to 0. In the next subsection, we consider evaluations of two-variable polynomials to obtain rank-metric codes with good list decodability.

2.2 Construction


Let us fix some notation at the beginning. Let $n, m$ be positive integers with $m \leq n$ ($m$ and $n$ are proportional and both tend to $\infty$). Let $r$ be a prime power and choose a positive integer $k$ with $k \leq r-1$ (both $r$ and $k$ are constant and independent of $n, m$). Put $q = r^{\ell}$ for some $\ell$ with $\gcd(r-1, n\ell) = 1$ ($\ell$ is a constant and hence $q$ is a constant as well). Fix a primitive element $\gamma$ of $\mathbb{F}_r^*$.

We have the following facts:

• $x^{r-1} - \gamma$ is irreducible over $\mathbb{F}_r$, and hence it is irreducible over $\mathbb{F}_{q^n}$ as well since $\gcd(r-1, n\ell) = 1$.

• $x^r = \gamma x \bmod x^{r-1} - \gamma$.

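Consider the two-variable polynomial space over $\mathbb{F}_{q^n}$

$$\mathcal{P}_q(n,k,m)[x,y] := \left\{ \sum_{i=0}^{m-1} f_i(x)y^{q^i} : f_i(x) \in \mathbb{F}_{q^n}[x] \text{ and } \deg(f_i(x)) \leq k-1 \text{ for all } 0 \leq i \leq m-1 \right\}.$$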


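Let $\{\alpha_1, \alpha_2, \dots, \alpha_n\}$ be an $\mathbb{F}_q$-basis of $\mathbb{F}_{q^n}$. For each polynomial $f = \sum_{i=0}^{m-1} f_i(x)y^{q^i} \in \mathcal{P}_q(n,k,m)[x,y]$, we define a matrix

$$M_f := \begin{pmatrix}
f(1,\alpha_1) & f(\gamma,\alpha_1) & f(\gamma^2,\alpha_1) & \cdots & f(\gamma^{r-2},\alpha_1) \\
f(1,\alpha_2) & f(\gamma,\alpha_2) & f(\gamma^2,\alpha_2) & \cdots & f(\gamma^{r-2},\alpha_2) \\
\vdots & \vdots & \vdots & & \vdots \\
f(1,\alpha_n) & f(\gamma,\alpha_n) & f(\gamma^2,\alpha_n) & \cdots & f(\gamma^{r-2},\alpha_n)
\end{pmatrix}.$$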

Each entry in the above matrix is viewed as a row vector of $\mathbb{F}_q^n$. Thus, $M_f$ is an $n \times ((r-1)n)$ matrix over $\mathbb{F}_q$. Set $t = (r-1)n$. Let $C_q(n,k,m,r)$ be the collection of $M_f$ for all $f \in \mathcal{P}_q(n,k,m)[x,y]$.

Lemma 2.1. The distance and rate of $C_q(n,k,m,r)$ satisfy

$$d(C_q(n,k,m,r)) \geq n-m+1 \quad\text{and}\quad R(C_q(n,k,m,r)) := \frac{\log_q |C_q(n,k,m,r)|}{(r-1)n^2} = \frac{k}{r-1}\times\frac{m}{n},$$

respectively.


Proof. The size of $\mathcal{P}_q(n,k,m)[x,y]$ is $q^{nkm}$. Furthermore, it is easy to see that $C_q(n,k,m,r)$ is an $\mathbb{F}_q$-linear space. Hence it is sufficient to show that the rank of $M_f$ is at least $n-m+1$ for every nonzero polynomial $f(x,y) \in \mathcal{P}_q(n,k,m)[x,y]$.

Let $f = \sum_{i=0}^{m-1} f_i(x)y^{q^i}$ in $\mathcal{P}_q(n,k,m)[x,y]$ be a nonzero polynomial. Suppose that $M_f$ has rank less than $n-m+1$. Then the solution space $U \subseteq \mathbb{F}_q^n$ of $zM_f = 0$ has dimension at least $m$. Let $V$ be the $\mathbb{F}_q$-subspace of $\mathbb{F}_{q^n}$ given by $V = \{\sum_{i=1}^{n} u_i\alpha_i : (u_1, u_2, \dots, u_n) \in U\}$. Then $\dim_{\mathbb{F}_q}(V) = \dim_{\mathbb{F}_q}(U) \geq m$.

For each $0 \leq j \leq r-2$, let $g_j(y) = f(\gamma^j, y)$. Then every $\alpha$ in $V$ is a root of the polynomial $g_j(y)$. Since $\deg_q(g_j(y)) \leq m-1$, the polynomial $f(\gamma^j, y) = g_j(y)$ is identical to 0. This means that the coefficients of $g_j(y)$ are zero for any $0 \leq i \leq m-1$. As the degree of $f_i(x)$ is at most $k-1$, we conclude that $f_i(x)$ are the zero polynomials for all $0 \leq i \leq m-1$. This is a contradiction and the proof is completed. □

Remark 3. The code $C_q(n,k,m,r)$ is an MRD code if and only if $k = r-1$.
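
A brute-force check of Lemma 2.1, the Singleton bound (1) and Remark 3 on a toy instance, added here as an illustration and not taken from the paper. It assumes $r = 3$, $\ell = 1$ (so $q = 3$), $n = 3$, $\gamma = 2$, the model $\mathbb{F}_{27} = \mathbb{F}_3[w]/(w^3+2w+1)$ with basis $\{1, w, w^2\}$, and polynomials $f = \sum_i f_i(x)y^{q^i}$; all function names are illustrative.

```python
from fractions import Fraction
from itertools import product

# Assumed toy parameters (chosen for this example, not taken from the paper).
R_BASE = 3   # r, a prime power
Q = 3        # q = r^l with l = 1; gcd(r - 1, l*n) = gcd(2, 3) = 1
N = 3        # n: codewords are n x (r-1)n = 3 x 6 matrices over F_3
GAMMA = 2    # primitive element of F_3^*; x^(r-1) - gamma = x^2 - 2 is irreducible over F_3

# Model of F_{q^n} = F_27 as F_3[w]/(w^3 + 2w + 1); (c0, c1, c2) means c0 + c1*w + c2*w^2.
ZERO, ONE = (0, 0, 0), (1, 0, 0)
ALPHAS = [(1, 0, 0), (0, 1, 0), (0, 0, 1)]    # F_3-basis alpha_1..alpha_n of F_27
FIELD = list(product(range(Q), repeat=N))      # all 27 field elements


def add(a, b):
    return tuple((x + y) % Q for x, y in zip(a, b))


def mul(a, b):
    """Multiply in F_27, reducing with w^3 = w + 2 (from w^3 + 2w + 1 = 0 over F_3)."""
    prod = [0] * 5
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] += x * y
    for d in (4, 3):                  # w^d = w^(d-3) * (w + 2)
        prod[d - 2] += prod[d]
        prod[d - 3] += 2 * prod[d]
    return tuple(x % Q for x in prod[:3])


def power(a, e):
    result = ONE
    for _ in range(e):
        result = mul(result, a)
    return result


def evaluate(f, x0, y0):
    """f(x0, y0) for f = sum_i f_i(x) * y^(q^i); f[i][u] is the x^u coefficient of f_i."""
    total = ZERO
    for i, f_i in enumerate(f):
        f_i_at_x0 = ZERO
        for u, coeff in enumerate(f_i):
            f_i_at_x0 = add(f_i_at_x0, mul(coeff, power(x0, u)))
        total = add(total, mul(f_i_at_x0, power(y0, Q ** i)))
    return total


def codeword(f):
    """M_f: row i is (f(gamma^0, alpha_i), ..., f(gamma^(r-2), alpha_i)), with each
    entry expanded into its n coordinates over F_q."""
    rows = []
    for alpha in ALPHAS:
        row = []
        for j in range(R_BASE - 1):
            x0 = (pow(GAMMA, j, Q), 0, 0)     # gamma^j embedded in F_27
            row.extend(evaluate(f, x0, alpha))
        rows.append(row)
    return rows


def rank_mod_q(matrix):
    """Rank over the prime field F_q by Gaussian elimination."""
    rows = [list(r) for r in matrix]
    rank = 0
    for col in range(len(rows[0])):
        pivot = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        inv = pow(rows[rank][col], -1, Q)
        rows[rank] = [(x * inv) % Q for x in rows[rank]]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                factor = rows[i][col]
                rows[i] = [(x - factor * y) % Q for x, y in zip(rows[i], rows[rank])]
        rank += 1
        if rank == len(rows):
            break
    return rank


def min_rank_distance(k, m):
    """Minimum rank of a nonzero codeword; equals d(C) because the code is F_q-linear."""
    best = N
    for flat in product(FIELD, repeat=k * m):
        if any(c != ZERO for c in flat):
            f = [flat[i * k:(i + 1) * k] for i in range(m)]
            best = min(best, rank_mod_q(codeword(f)))
    return best


def rate(k, m):
    """R = log_q|C| / (n t) with |C| = q^(n k m) and t = (r-1) n."""
    return Fraction(N * k * m, N * (R_BASE - 1) * N)


def singleton_bound(k, m):
    """Right-hand side of (1): n - R(C) n + 1."""
    return N - rate(k, m) * N + 1


if __name__ == "__main__":
    for k, m in [(2, 1), (1, 2)]:
        print(f"k={k} m={m}: rate={rate(k, m)}, d={min_rank_distance(k, m)}, "
              f"n-m+1={N - m + 1}, Singleton bound={singleton_bound(k, m)}")
```

Both parameter choices have rate 1/3, but only $k = r-1 = 2$ reaches the Singleton bound, while $k = 1$, $m = 2$ attains exactly the Lemma 2.1 bound $n-m+1 = 2$.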

3 List decoding


Suppose that a codeword $M_f$ is transmitted and $Y = (y_{i,j})_{n\times(r-1)}$ is received with at most $e$ errors, i.e., $\mathrm{rank}(M_f - Y) \leq e$. Our goal in this section is to recover $M_f$, or equivalently the polynomial $f(x,y) \in \mathcal{P}_q(n,k,m)[x,y]$. First we prove a lemma on the rank of matrices.

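Lemma 3.1. Let $X, Z \in M_{n\times t}(\mathbb{F}_q)$ with $\mathrm{rank}(X - Z) \leq e$. Then $\dim_{\mathbb{F}_q}(\langle X\rangle \cap \langle Z\rangle) \geq \dim_{\mathbb{F}_q}(\langle X\rangle) - e$, where $\langle X\rangle$ stands for the row space of $X$ over $\mathbb{F}_q$.

Proof. It is easy to see that the two $\mathbb{F}_q$-spaces $\langle X\rangle + \langle Z\rangle$ and $\langle X - Z\rangle + \langle Z\rangle$ are equal. Thus,

$$\dim_{\mathbb{F}_q}(\langle X\rangle) + \dim_{\mathbb{F}_q}(\langle Z\rangle) - \dim_{\mathbb{F}_q}(\langle X\rangle \cap \langle Z\rangle) = \dim_{\mathbb{F}_q}(\langle X - Z\rangle) + \dim_{\mathbb{F}_q}(\langle Z\rangle) - \dim_{\mathbb{F}_q}(\langle X - Z\rangle \cap \langle Z\rangle).$$

This gives

$$\dim_{\mathbb{F}_q}(\langle X\rangle \cap \langle Z\rangle) = \dim_{\mathbb{F}_q}(\langle X\rangle) - \dim_{\mathbb{F}_q}(\langle X - Z\rangle) + \dim_{\mathbb{F}_q}(\langle X - Z\rangle \cap \langle Z\rangle) \geq \dim_{\mathbb{F}_q}(\langle X\rangle) - e.$$

The proof is completed. □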

3.1 Interpolation polynomials 

We fix a parameter $s$ with $1 \leq s \leq r-1$.

Definition 2 (Space of interpolation polynomials). Let $\mathcal{L}$ be the space of polynomials $Q \in \mathbb{F}_{q^n}[x, y, z_1, z_2, \dots, z_s]$ of the form $Q(x, y, z_1, z_2, \dots, z_s) = A_0(x,y) + A_1(x,z_1) + A_2(x,z_2) + \cdots + A_s(x,z_s)$, with $A_0(x,y) \in \mathcal{P}_q(n, r-1, n-e)[x,y]$ and each $A_i(x,z_i) \in \mathcal{P}_q(n, r-k, n-e-m+1)[x,z_i]$ for $i = 1, 2, \dots, s$.

Lemma 3.2. If $e < \frac{s(r-k)(n-m+1)}{r-1+s(r-k)}$, then there exists a nonzero polynomial $Q \in \mathcal{L}$ such that $Q(\gamma^j, \alpha_i, y_{i,j}, y_{i,j+1}, \dots, y_{i,j+s-1}) = 0$ for $i = 1, 2, \dots, n$ and $j = 0, 1, 2, \dots, r-2$. Note that if $j+s-1$ is bigger than $r-2$, we replace y* by mod r-i. Furthermore, such a polynomial $Q$ can be found using $O(n^3)$ operations over $\mathbb{F}_{q^n}$.

Proof. Note that $\mathcal{L}$ is an $\mathbb{F}_{q^n}$-vector space of dimension $(r-1)(n-e) + s(r-k)(n-e-m+1)$. This dimension is bigger than $n(r-1)$ by our choice of $m$ and $k$. The conditions to be satisfied in the Lemma give rise to $n(r-1)$ homogeneous linear conditions on $Q$. Since $n(r-1) < (r-1)(n-e) + s(r-k)(n-e-m+1)$ in our setting, there must exist a nonzero $Q \in \mathcal{L}$ that meets the interpolation conditions $Q(\gamma^j, \alpha_i, y_{i,j}, y_{i,j+1}, y_{i,j+2}, \dots, y_{i,j+s-1}) = 0$ for $i = 1, 2, \dots, n$ and $j = 0, 1, \dots, r-2$. Finding such a polynomial $Q$ amounts to solving a homogeneous linear system over $\mathbb{F}_{q^n}$ with $n(r-1)$ constraints and $\dim_{\mathbb{F}_{q^n}}(\mathcal{L}) = (r-1)(n-e) + s(r-k)(n-e-m+1)$ unknowns, which can be done in $O(n^3)$ time. □

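Lemma 3.3. Let $f \in \mathcal{P}_q(n,k,m)[x,y]$ be a polynomial. Suppose that the codeword $M_f$ is transmitted and $Z = (y_{i,j})_{n\times(r-1)}$ ($y_{i,j} \in \mathbb{F}_{q^n}$) is received with at most $e$ errors. Assume that $e < \frac{s(r-k)(n-m+1)}{r-1+s(r-k)}$ and let $Q(x, y, z_1, z_2, \dots, z_s)$ be the interpolation polynomial given in Lemma 3.2. Then

$$Q(\gamma^j, y, f(\gamma^j, y), f(\gamma^{j+1}, y), \dots, f(\gamma^{j+s-1}, y)) \equiv 0$$

for all $j = 0, 1, 2, \dots, r-2$. The above $\equiv$ means that the polynomial on the left is identical to 0.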
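
Proof. Note that $e < \frac{s(r-k)(n-m+1)}{r-1+s(r-k)} < n-m+1$. Since $e$ and $n-m$ are both integers, we have $e \leq n-m$. The polynomial $Q(\gamma^j, y, f(\gamma^j, y), f(\gamma^{j+1}, y), \dots, f(\gamma^{j+s-1}, y))$ has degree at most $q^{m-1}$; moreover, it is $q$-linearized. Denote by $A$ and $B$ the $n \times rn$ matrices $((\alpha_1, \alpha_2, \dots, \alpha_n)^T, M_f)$ and $((\alpha_1, \alpha_2, \dots, \alpha_n)^T, Y)$ over $\mathbb{F}_q$, respectively.

It is clear that $\mathrm{rank}(A - B) = \mathrm{rank}(M_f - Y) \leq e$ and $\mathrm{rank}(A) = n$. Thus, by Lemma 3.1, $\dim_{\mathbb{F}_q}(\langle A\rangle \cap \langle B\rangle) \geq n - e \geq m$. This implies that there exists an $\mathbb{F}_q$-subspace $U$ of $\mathrm{span}\{\alpha_1, \alpha_2, \dots, \alpha_n\}$ of dimension at least $m$ such that, for every $\alpha = \sum_{i=1}^{n} c_i\alpha_i \in U$ with $c_i \in \mathbb{F}_q$, one has

$$\sum_{i=1}^{n} c_i y_{i,j+u-1} = \sum_{i=1}^{n} c_i f(\gamma^{j+u-1}, \alpha_i) = f\left(\gamma^{j+u-1}, \sum_{i=1}^{n} c_i\alpha_i\right) = f(\gamma^{j+u-1}, \alpha)$$

for $u = 1, 2, \dots, s$. Hence,

$$\begin{aligned}
0 &= \sum_{i=1}^{n} c_i Q(\gamma^j, \alpha_i, y_{i,j}, \dots, y_{i,j+s-1}) \\
  &= \sum_{i=1}^{n}\left(c_i A_0(\gamma^j, \alpha_i) + \sum_{u=1}^{s} c_i A_u(\gamma^j, y_{i,j+u-1})\right) \\
  &= A_0\left(\gamma^j, \sum_{i=1}^{n} c_i\alpha_i\right) + \sum_{u=1}^{s} A_u\left(\gamma^j, \sum_{i=1}^{n} c_i y_{i,j+u-1}\right) \\
  &= Q(\gamma^j, \alpha, f(\gamma^j, \alpha), f(\gamma^{j+1}, \alpha), f(\gamma^{j+2}, \alpha), \dots, f(\gamma^{j+s-1}, \alpha)).
\end{aligned}$$

As the degree of $Q(\gamma^j, y, f(\gamma^j, y), f(\gamma^{j+1}, y), f(\gamma^{j+2}, y), \dots, f(\gamma^{j+s-1}, y))$ is at most $q^{m-1}$, the desired result follows. □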


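Lemma 3.4. Let $f = \sum_{i=0}^{m-1} f_i(x)y^{q^i} \in \mathcal{P}_q(n,k,m)[x,y]$ be a polynomial. Suppose that the codeword $M_f$ is transmitted and $Y$ is received with at most $e$ errors. Assume that $e < \frac{s(r-k)(n-m+1)}{r-1+s(r-k)}$ and let $Q(x, y, z_1, z_2, \dots, z_s) = A_0(x,y) + A_1(x,z_1) + A_2(x,z_2) + \cdots + A_s(x,z_s)$ be the interpolation polynomial given in Lemma 3.2. Write $A_0(x,y) = \sum_{i=0}^{n-e-1} A_{0,i}(x)y^{q^i}$ and $A_w(x,z) = \sum_{i=0}^{n-e-m} A_{w,i}(x)z^{q^i}$ for $1 \leq w \leq s$. Then we have

$$A_{0,u}(x) + \sum_{w=1}^{s}\sum_{i+v=u} A_{w,i}(x) f_v^{(i)}(\gamma^{w-1}x) = 0 \qquad (3)$$

for all $0 \leq u \leq n-e-1$, where $g^{(i)}(x)$ stands for $\sum_{j} b_j^{q^i}x^j$ for a polynomial $g(x) = \sum_{j} b_j x^j \in \mathbb{F}_{q^n}[x]$.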
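
Proof. By Lemma 3.3, we have

$$\begin{aligned}
0 &= Q(\gamma^j, y, f(\gamma^j, y), \dots, f(\gamma^{j+s-1}, y)) \\
  &= \sum_{u=0}^{n-e-1} A_{0,u}(\gamma^j)y^{q^u} + \sum_{w=1}^{s}\sum_{i=0}^{n-e-m} A_{w,i}(\gamma^j)\left(\sum_{v=0}^{m-1} f_v(\gamma^{j+w-1})y^{q^v}\right)^{q^i} \\
  &= \sum_{u=0}^{n-e-1} A_{0,u}(\gamma^j)y^{q^u} + \sum_{u=0}^{n-e-1}\left(\sum_{w=1}^{s}\sum_{i+v=u} A_{w,i}(\gamma^j) f_v^{(i)}(\gamma^{j+w-1})\right)y^{q^u}.
\end{aligned}$$

This gives

$$A_{0,u}(\gamma^j) + \sum_{w=1}^{s}\sum_{i+v=u} A_{w,i}(\gamma^j) f_v^{(i)}(\gamma^{j+w-1}) = 0$$

for all $0 \leq u \leq n-e-1$ and $0 \leq j \leq r-2$. This implies that the polynomial

$$A_{0,u}(x) + \sum_{w=1}^{s}\sum_{i+v=u} A_{w,i}(x) f_v^{(i)}(\gamma^{w-1}x)$$

has at least $r-1$ roots. On the other hand, this polynomial has degree at most $k-1 \leq r-2$. The desired result follows. □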

3.2 Analysis of list and list size 

Before discussing the list, let us introduce periodic subspaces, which were defined in [?]. For a vector $a = (a_1, a_2, \dots, a_N) \in \mathbb{F}_r^N$ and positive integers $t_1 \leq t_2 \leq N$, we denote by $\mathrm{proj}_{[t_1,t_2]}(a)$ its projection onto coordinates $t_1$ through $t_2$, i.e., $\mathrm{proj}_{[t_1,t_2]}(a) = (a_{t_1}, a_{t_1+1}, \dots, a_{t_2})$. When $t_1 = 1$, we use $\mathrm{proj}_{t}(a)$ to denote $\mathrm{proj}_{[1,t]}(a)$. These notions are extended to subsets of strings in the obvious way: $\mathrm{proj}_{[t_1,t_2]}(S) = \{\mathrm{proj}_{[t_1,t_2]}(x) : x \in S\}$.

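Definition 3 (Periodic subspaces). For positive integers $u, b, \Lambda$ and $N := b\Lambda$, an affine subspace $H \subseteq \mathbb{F}_r^N$ is said to be $(u, \Lambda, b)_r$-periodic if there exists a subspace $W \subseteq \mathbb{F}_r^{\Lambda}$ of dimension at most $u$ such that for every $j = 1, 2, \dots, b$, and every "prefix" $a \in \mathbb{F}_r^{(j-1)\Lambda}$, the projected affine subspace of $\mathbb{F}_r^{\Lambda}$ defined as

$$\{\mathrm{proj}_{[(j-1)\Lambda+1,\, j\Lambda]}(x) : x \in H \text{ and } \mathrm{proj}_{(j-1)\Lambda}(x) = a\}$$

is contained in an affine subspace of $\mathbb{F}_r^{\Lambda}$ given by $W + v_a$ for some vector $v_a \in \mathbb{F}_r^{\Lambda}$ dependent on $a$.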

Now we return to finding the list of polynomial candidates.

Lemma 3.5. Let $f = \sum_{i=0}^{m-1} f_i(x)y^{q^i} \in \mathcal{P}_q(n,k,m)[x,y]$ be a polynomial. Suppose that the codeword $M_f$ is transmitted and $Y$ is received with at most $e$ errors. Assume that $e < \frac{s(r-k)(n-m+1)}{r-1+s(r-k)}$. Then solutions of (3) form an $(s-1, \ell n(r-1), m)_r$-periodic subspace of size at most $r^{(s-1)m}$.
Proof. Note that for $u \in [0, n-e-1]$, the solutions of (3) give the list of the candidates.

Let us start with $u = 0$. Then (3) gives the equation

$$A_{0,0}(x) + \sum_{w=1}^{s} A_{w,0}(x) f_0^{(0)}(\gamma^{w-1}x) = 0. \qquad (4)$$

Note that $f_0^{(0)}(x) = f_0(x)$. In the residue ring $\mathbb{F}_{q^n}[x]/(x^{r-1} - \gamma)$, the equation (4) becomes

$$A_{0,0}(x) + \sum_{w=1}^{s} A_{w,0}(x)(f_0(x))^{r^{w-1}} = 0 \bmod x^{r-1} - \gamma. \qquad (5)$$

Since $x^{r-1} - \gamma$ is an irreducible polynomial over $\mathbb{F}_{q^n}$, the residue ring $\mathbb{F}_{q^n}[x]/(x^{r-1} - \gamma) \cong \mathbb{F}_{q^{n(r-1)}}$ is a field. Because the degree of $f_0(x)$ is at most $r-2$, all solutions of $f_0(x)$ in the equation (5) form an affine space $W + v_0$ for some $v_0 \in \mathbb{F}_{q^n}[x]/(x^{r-1} - \gamma) \cong \mathbb{F}_{q^{n(r-1)}}$, where $W$ is the solution space of the $\mathbb{F}_r$-linearized polynomial

$$\sum_{w=1}^{s} A_{w,0}(x)z^{r^{w-1}} = 0 \bmod x^{r-1} - \gamma \qquad (6)$$

and therefore it has dimension at most $s-1$ over $\mathbb{F}_r$.

Note that once /o(x) is recovered, all are recovered as well for 

By induction, assume that all $f_i(x)$ have been recovered for $0 \leq i \leq a-1$. Next, we want to recover $f_a(x)$ from the following equation

$$A_{0,a}(x) + \sum_{w=1}^{s}\sum_{i+v=a} A_{w,i}(x)(f_v^{(i)}(x))^{r^{w-1}} = 0 \bmod x^{r-1} - \gamma.$$

Rewrite the above equation into the following

s a—1 S 

AoA^) + ^ o{x){fY\x)Y™ ^=0 mod x'" ^ — 7 (7) 

w = l V = 1 W = 1 


By similar arguments, one can show that all solutions of $f_a^{(0)}(x) = f_a(x)$ in the equation (7) form an affine space $W + v_a$ for some $v_a \in \mathbb{F}_{q^n}[x]/(x^{r-1} - \gamma) \cong \mathbb{F}_{q^{n(r-1)}}$. Apparently, all possible $(f_0(x), f_1(x), \dots, f_{m-1}(x))$ in the list form an $(s-1, \ell n(r-1), m)_r$-periodic subspace.

To compute the list size, we note that each $f_i(x)$ has at most $r^{s-1}$ solutions. Thus, the list size is bounded by $r^{(s-1)m}$.

As $m$ is proportional to $n$, the list size in Lemma 3.5 becomes exponential. We will prune down the list size by pre-encoding through the special structure of the periodic subspace.

Remark 4. Each $f_i(x)$ is a solution of (7). As $\deg(f_i(x)) \leq k-1$, there exists a $g(x) \in \mathbb{F}_{q^n}[x]$ with $\deg(g(x)) \leq k-1$ such that $f(x) \in g(x) + W'$, where $W' = W \cap \{h(x) \in \mathbb{F}_{q^n}[x] : \deg(h) \leq k-1\}$ and $W$ is the solution space of (6). This implies that our message $f(x)$ actually belongs to an $(s-1, \ell nk, m)_r$-periodic subspace of size at most

3.3 Decoding radius


Finally, let us compute the decoding radius from the list decoding in this section. 


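Put $e = \left\lceil \frac{s(r-k)(n-m+1)}{r-1+s(r-k)} \right\rceil - 1$ and $\tau = e/n$, then we have

$$\tau \approx \frac{s(r-k)}{r-1+s(r-k)}\left(1 - \frac{m}{n}\right) = \frac{s(r-k)}{r-1+s(r-k)}\left(1 - R\times\frac{r-1}{k}\right). \qquad (8)$$

If we take $s = r-1$ and $k = r-c$ for some $1 \leq c \leq r-1$, then we get

$$\tau = \frac{c}{c+1}\left(1 - \frac{r-1}{r-c}\times R\right). \qquad (9)$$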

4 Pruning list size 

In this section, we prune the list via subspace designs and h.s.e. sets. The subspace design provides a deterministic algorithm with a constant list size, while h.s.e. provides a randomized algorithm with a smaller constant list size.

4.1 A deterministic algorithm 

The subspace design was first introduced in [?] to pin down the list.

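Definition 4. A collection $S$ of $\mathbb{F}_r$-subspaces $H_1, \dots, H_M \subseteq \mathbb{F}_r^{\Lambda}$ is called a $(v, A, \Lambda)_r$-subspace design if for every $\mathbb{F}_r$-linear space $W \subseteq \mathbb{F}_r^{\Lambda}$ of dimension $v$,

$$\sum_{i=1}^{M} \dim_{\mathbb{F}_r}(H_i \cap W) \leq A.$$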

In order to pin down the list to a constant size, one has to consider the intersection with a subspace evasive set introduced in [14].

Definition 5. A subset $S$ of $\mathbb{F}_r^{\Lambda}$ is called $(v, A, \Lambda)_r$-subspace evasive if for any subspace $W$ of $\mathbb{F}_r^{\Lambda}$ of dimension $v$, the intersection $S \cap W$ has size at most $A$.

The following result says that one can obtain a small list from the intersection of a periodic subspace with a suitable subspace design.

Lemma 4.1. ([?]) Let $H$ be a $(v, \Lambda, b)_r$-periodic subspace, and let $\{H_1, H_2, \dots, H_b\}$ be a $(v, A, \Lambda)_r$-subspace design. Then $H \cap (H_1 \times \cdots \times H_b)$ is an affine subspace over $\mathbb{F}_r$ of dimension at most $A$.

Assume that A has a divisor A 2 log^ A for some c > 1 and thus we have > A. Let qi = and 

A' = A/A. 

Lemma 4.2 (lUl). Let e > 0 be a small real. Let v be a positive integer and set h ~ vje to be a positive 
integer. Assume that qi ^ h and Zet 71 ,..., 7 /j be distinct nonzero elements o/F^^. Let di > d 2 > ■ ■ ■ > 
dh > 1 be integers. Define fi,..., G F^^ [xi,..., Xh] as follows: 

h 

fi{xi,... ,Xh) = '^7jxf . (10) 

f=i 












Then: 


• The variety V = {x E | /i(x) = ••• = /^(x) = 0} satisfies | V n i7| < {difi for all v- 
dimensional affine subspaces H C 

• If at least v of the degrees di are relatively prime to qi — 1, then | V H F^^ | = qi~^. 

• The product set (V n F^J^ C F^^ is (a, (di)“, A')q^-subspace evasive for all a < v. 

The statement below follows immediately from Lemma 4.2 and the fact that when the $d_i$'s are powers of $r$, the polynomials $f_i$ defined in (10) are $\mathbb{F}_r$-linearized polynomials.

Corollary 4.3. Let £> Obe a small real. Let v be a positive integer and set h ~ v je to be a positive integer. 
Assume that qi ^ h. By setting di = r^~^,d 2 = ... ,dh = 1 in Lemma \4~2\ one obtains an explicit 

(a, A')q.^-subspace evasive set S of size for all 1 < a < v. Furthermore, S is an ¥r-linear 

space of dimension (1 — e)AA' = (1 — e)A and a basis of S can be computed in time poly(A, log r). 

Guruswami and Kopparty [10] give an explicit subspace design based on the Wronskian determinant. Their construction implies the following fact.

Lemma 4.4. For e E (0,1), positive integer v with v < eA' jA, there is an explicit collection of M = 
/v) ]pA'^ each of codimension at most eA' and form a {v, 2v/£, A')q^-subspace design. 

Moreover, bases for N ^ M elements of this collection can be computed in time poly(A^, A, r). 

It is required in Lemma |4^ that qi > A' (see lITOl ). This condition is satisfied by our choice of parame¬ 
ters since qi = > A. 

Combining Lemma 4.4 with Corollary 4.3, one can prove the following result.

Proposition 4.5. For a positive integer v < eA'jA, there exists an explicit {y,2v{h — l)/£, A)r-subspace 
design {F[i,F[ 2 ,..., Hjy} with N = and Hi C F^^ = F^ of codimension at most 2eA . 

Proof. The proof of this proposition can be found in [?, Theorem 3.6] except for an adjustment of parameters. To convince the reader that our parameters work properly, we give a complete proof here. From
Lemma l4~4l we can construct M = q^^^^ subspaces Vi,V 2 ,..., Vm with codimension at most eA' over 
Fqj. By Corollary 14.31 we know that there exists an explicit F^-linear space S of size q\^ in F^^^^ which 
is (a, A')g^-subspace evasive for a < v. Put Hi = Vi Ci S. Since both Vi and S has codimension 

at most eA' in F^ , the intersection Hi has codimension at most 2eA' in F^^, i.e., Hi has codimension at 
most 2eA in Fj^. Let PF be a r;-dimensional Fr-linear subspace in F^^ . Then one can find a t>-dimensional 
Fqj-linear subspace Wi in F^^^ such that W C Wi. 

The subspace design of {Vi\fLi implies that 

M 

dimp^^ (Vj n PFi) < 2r;/g (11) 

i=l 

Denote by Vi the dimension dimp^^ (Vi n Wj). As dimp^^ (^i) < v, we have that Vi < v. Since S' is a 
(uj, A')qj-subspace evasive set, we have \S n (Vi n PFi)! ^ Hence, dimp^(Hi n Wf) ^ 
Vi{h — 1) = (/i — 1) dimp^^ {Vi n Wi). Summing all dimensions up gives

MM M 

dimF ^{Hj n VK) ^ dimp ^{Hj n Id^i) ^ {h - 1) y^dimp^^ {Vj n Wi) < 2v{h - l)/e. 

i=l 2=1 2 = 1 

The proof is completed. □ 

Theorem 4.6. [Part (i) of Main Theorem] Let $r$ be a prime power and let $c$ be an integer between $1$ and $r-1$. Let $\epsilon > 0$ be a small real. Let $q = r^{\ell}$ with $\gcd(r-1, \ell n) = 1$. Then there exists an explicit rank-metric code in $M_{n\times(r-1)n}(\mathbb{F}_q)$ with rate $R$ that is $(\tau, O(\exp(1/\epsilon^2)))$-list decodable with $\tau = \frac{c}{c+1}\left(1 - \frac{r-1}{r-c}\times R - \epsilon\right)$. Furthermore, encoding and list-decoding algorithms are in polynomial time $\mathrm{poly}(n, \exp(1/\epsilon))$.


Proof. In Proposition 4.5 we set $v = s-1$, $A = n\ell(r-1)$ and $h \approx (s-1)/\varepsilon$. Each $H_i$ can be viewed as an F^-subspace of the polynomial space $\{g(x) \in \mathbb{F}_{q^n}[x] : \deg(g(x)) \le r-1\}$.

We consider the polynomial set 


' m—1 


'Pq{n,k,m)[x,y] := 


fi{x)y'^'' : fi{x) E Hi and deg(/i(x)) ^ Zc - 1 for all 0 ^ i ^ m - 1 


i=0 


and the code Cq{n, k, m, r) = {Mf : f E Pg(n, k, m)[x, y]}. It is clear that Cq{n, k, m, r) is F^ -linear and 
it is a subcode of our original code Cq{n, k, m, r). It is easy to see that 


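$$\dim_{\mathbb{F}_r}(\mathcal{P}_q(n,k,m)[x,y]) \ge \sum_{i=0}^{m-1} \dim_{\mathbb{F}_r}\bigl(H_i \cap \{f_i(x) \in \mathbb{F}_{q^n}[x] : \deg(f_i) \le k-1\}\bigr) \ge m(n\ell k - 2\varepsilon A). \tag{12}$$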

By (IT^ . the rate R of Cq{n, Zc, m, r) is lower bounded by 


R = 


^ogq\Vq{n,k,m)[x,y]\ k 


(r — l)rV 


.. m m „ 

^ -X- 2e X — ^ R — 2e. 

r — 1 n n 


(13) 


Suppose a codeword $M_f$ with $f \in \mathcal{P}_q(n,k,m)[x,y]$ was transmitted and Y is received with at most e errors, where e < fc)^ • Then all list belong to the solution space if of (l3]l which is an $(s-1, \ell n(r-1), m)_r$-periodic subspace. By Lemma ldTl and Proposition 4.5 the list size for the code Cq{n, k, m, r) is = exp(0(s^/e^)) = exp(0(l/e^)).

The decoding radius of Cg(n, Zc, m, r) is equal to those of Cq{n, Zc, m, r). By (O, we have 


T = T 





for $1 \le c \le r-2$. Setting e = x 2e gives the desired result. □

Remark 5. In the code Cq{n, k, m, r), if we set s ≈ 4/e^, r ≈ 4/e^ and $k/(r-1) = \varepsilon/2$, then one gets the list decoding radius f ^ $1 - R - \varepsilon$. In this case, the list size becomes )). This proves Corollary Oi)-

4.2 A Monte Carlo algorithm

We first define subspace evasiveness for a particular family of affine spaces.

Definition 6. /[TTl/ Let T be a family of affine subspaces of ¥f such that each subspace in T has dimension at most v. A subset S <zVf is called (T, v, k, L)r-evasive if $|S \cap W| \le L$ for every $W \in T$.


Now we are able to state our randomized result. The HSE map below is actually defined from hierarchical subspace-evasive sets (see MM).

Proposition 4.7. Suppose b, A, v, a are positive integers and ( satisfies the conditions h > {a + 1)/C 
and A > T be a family of (v, A, b)-periodic subspaces of with | where 

K = bA. Then there exists a randomized construction of an injective map HSE.' 

poly{mA, l/(^, log r, v) such that with probability at least the image o/HSE is an {T, bv, k, ^^)- 

subspace evasive set. Further, given a {v, A, b)-periodic subspace H ^ T, one can compute the set 
{x G Fr^ : HSE(x) G Hf of size at most in deterministic poly{mA, r’', 1/C) time. 

Theorem 4.8. [Part (ii) of Main Theorem] Let r be a prime power and let c be an integer between 1 and $r-1$. Let $\varepsilon > 0$ be a small real. Let q = with $\gcd(r-1, \ell n) = 1$. Then with high probability one can randomly sample a rank-metric code in $M_{n\times(r-1)n}(\mathbb{F}_q)$ with rate R that is ($\tau$, $O(1/\varepsilon)$)-list decodable with

f = ~ ^ i? - Furthermore, encoding and list-decoding algorithms are in polynomial time poly(n, exp(1/$\varepsilon$)).


Proof. In Proposition 4.7 set $v = s-1$, $b = m$ and $A = n\ell k$. Let F be the set of all $(s-1, n\ell k, m)_r$-periodic subspaces in A periodic subspace H C consists of a fixed subspace W C F^ of dimension at most $s-1$ and affine space proj[Q_^) 4 _,_^ {H) = W+srj with Vj G Fg„ for j = 1, 2,..., m. Thus, there are at most Ng x periodic subspaces in F, where Ng denotes the number of subspaces in F^ of dimension less than or equal to $s-1$. As m tends to $\infty$ and s is a constant, one clearly has

s-l 


jv, = E 


j=0 


A' 


< s 


■ A ' 
s — 1 


^ (s - ^ r 


mA 


where denotes the Gaussian binomial coefficients that is equal to the number of subspaces of F^ of 
dimension i. Thus, in total we have |J^| ^ 

In Proposition 4.7 we set a = 2. Let HSE be the injective map given in Proposition 4.7 F^.^ 2 C)mA F™'^. As F™^ ~ $\mathcal{P}_q(n,k,m)[x,y]$, we can identify these two spaces under a fixed basis and hence HSE(x) can be viewed as a polynomial in $\mathcal{P}_q(n,k,m)[x,y]$. Now our encoding becomes

p(i- 2 C)mA ^ p^A ^ p^^ri,k,m)[x,y] ^ M„x(.-i)n(®’<?); X ^ HSE(x) ^ Mhse(x)- 


Denote by Cg(n, A:, m, r) the image of the above map. Thus the rate of the code Cg(n, A:, m, r) is 

^ lose 7 

R = ^ = (1 - 2C) X-- X - = (1 - 2C)R ^R-2C, (14) 

re^(r — Ij r — 1 re 

where R is the rate of Cq{n, k, m, r). 
Suppose a codeword $M_{\mathrm{HSE}(x)}$ was transmitted and Y is received with at most e errors, where e <
Remark m HSE(x) belongs to an (s - 1, A, -periodic subspace. By Proposition 4.7 we obtain a list of solutions of size 0(1/^)- Furthermore, by lIT^ the list can be computed in time poly(n, r^).

The decoding radius of Cq{n, k, m, r) is the same as the one of Cq{n, k, m, r). By ([9]), we have 


T = T 





for $1 \le c \le r-2$. Setting e = x 2(^ gives the desired result. □

Remark 6. In the code Cq{n, k, m, r), if we set s ≈ 4/e^, r 4/e^ and $k/(r-1) = \varepsilon/2$, then one gets the list decoding radius $\tau \approx 1 - R - \varepsilon$. The list size is O(1/C) = $O(1/\varepsilon)$. This proves Corollary II. 3 l ii).
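
The counting step in the proof of Theorem 4.8 uses the Gaussian binomial coefficient as the number of subspaces of a given dimension, and sums it over dimensions up to s - 1. The following Python sketch is an added illustration, not code from the paper: it computes both quantities and checks the formula against a brute-force enumeration of all subspaces over F_2. The function names and the small test dimensions are assumptions made for the example.

```python
def gaussian_binomial(n: int, i: int, r: int) -> int:
    """Number of i-dimensional subspaces of F_r^n (0 if i is out of range)."""
    if i < 0 or i > n:
        return 0
    num = den = 1
    for t in range(i):
        num *= r ** (n - t) - 1   # ways to extend an independent tuple
        den *= r ** (i - t) - 1   # ordered bases of one i-dim subspace
    return num // den             # exact: the quotient is always an integer


def subspaces_up_to(n: int, s: int, r: int) -> int:
    """Number of subspaces of F_r^n of dimension at most s - 1."""
    return sum(gaussian_binomial(n, j, r) for j in range(s))


def brute_force_counts_f2(n: int) -> dict:
    """Enumerate every subspace of F_2^n and return {dimension: count}.

    Vectors are n-bit integers and vector addition is XOR. Starting from
    the zero subspace, each subspace is extended by one outside vector v,
    giving span(sub, v) = sub U (sub + v), until nothing new appears.
    """
    zero = frozenset([0])
    seen = {zero}
    frontier = [zero]
    while frontier:
        nxt = []
        for sub in frontier:
            for v in range(1, 1 << n):
                if v in sub:
                    continue
                bigger = frozenset(sub | {u ^ v for u in sub})
                if bigger not in seen:
                    seen.add(bigger)
                    nxt.append(bigger)
        frontier = nxt
    counts = {}
    for sub in seen:
        d = len(sub).bit_length() - 1   # |sub| = 2^d
        counts[d] = counts.get(d, 0) + 1
    return counts


if __name__ == "__main__":
    n = 4  # constructed toy dimension
    print(brute_force_counts_f2(n))
    print([gaussian_binomial(n, i, 2) for i in range(n + 1)])
    print(subspaces_up_to(n, 3, 2))
```

The brute-force enumeration grows very quickly with n and is only meant to validate the closed formula on toy sizes.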